Divya's Blog

Polymorphic virus

Posted on: May 14, 2011


  • A POLYMORPHIC virus  produces varied but operational copies of itself.
  • These strategies have been employed in the hope that virus scanners (see D1) will not be able to detect all instances of the virus.
  • One method of evading scan string-driven virus detectors is self-encryption with a variable key.
  • These viruses (e.g. Cascade) are not termed “polymorphic”, as their decryption code is always the same. Therefore the decryptor can be used as a scan string by the simplest scan string-driven virus scanners.

A technique for making a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus (e.g. the Whale virus).

A scan string-driven virus scanner would have to exploit several scan strings (one for each possible decryption method) to reliably identify a virus of this kind.

More sophisticated polymorphic viruses (e.g. V2P6) vary the sequences of instructions in their variants by interspersing the decryption instructions with “noise” instructions (e.g. a No Operation instruction or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A).

A simple-minded, scan string-based virus scanner would not be able to reliably identify all variants of this sort of virus; rather, a sophisticated “scanning engine” has to be constructed after thorough research into the particular virus.

  • One of the most sophisticated forms of polymorphism used so far is the “Mutation Engine” (MtE) which comes in the form of an object module.
  • With the Mutation Engine any virus can be made polymorphic by adding certain calls to its assembler source code and linking to the mutation-engine and random-number generator modules.
  • The advent of polymorphic viruses has rendered virus-scanning an ever more difficult and expensive endeavor; adding more and more scan strings to simple scanners will not adequately deal with these viruses.
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 6 other followers

Subscribe our Blog

Subscribe
CLUSTER MAPS Locations of visitors to this page

Tweets

Error: Twitter did not respond. Please wait a few minutes and refresh this page.

%d bloggers like this: